More than 180,000 students and alumni at Western Illinois University were at risk of identity theft when their personal information (Social Security numbers, credit card accounts, and other sensitive data) was revealed after hackers tapped into the institution's student information system (SIS) in 2006. Earlier this year, personal information from 46,000 students, faculty, and staff at the University of California at San Francisco was revealed during a possible security breach. And as recently as June 2007, 5,735 current and former faculty members at the University of Virginia had their Social Security numbers, names, and birth dates exposed through a series of system breaches at the university that were discovered to date as far back as 2005.
In 2006 alone, 83 security breaches were reported at 65 colleges and universities worldwide, compromising 2,683,059 records, according to a report titled "Educational Security Incidents Year in Review: 2006," prepared by industry observer Adam Dodge. Interestingly, only 33 of the 83 incidents involved purposeful penetration of an institution's SIS by computer hackers. The majority of data losses occurred through theft, unauthorized disclosure, loss, and impersonation.
For example, personal information regarding political science students at the University of Minnesota was revealed when a laptop containing the unencrypted data was stolen from a professor's car. One hundred Westminster College (Utah) students and alumni had their personal information made available on a public webpage through an innocent error. And 49 Texas A&M students had their personal data compromised when a class roster containing personal identifying information was temporarily lost.
In the first half of 2007, 73 incidents occurred, according to "Educational Security Incidents," only 10 fewer than occurred in all of 2006. "The breaches are absolutely increasing in frequency," says Rob Guido, director, fusion middleware at Oracle. Nearly 50 percent of all breaches are happening in higher ed, he says. Colleges and universities are likely targets because there is "an abundance of personal information," it is of high quality, and it exists in an open, decentralized environment, he says. Additionally, universities have less money to put towards securing the data, making them more vulnerable to attack.
'A lot of the security training that needs to be provided is awareness-type training.' -Don Volz, Texas State University San Marcos
While preventing hackers from accessing sensitive computer data has been the focus at many institutions of higher education, attention appears to be shifting to reducing the risk of security breaches made via human error.
The EDUCAUSE Center for Applied Research (ECAR) conducted an Information Technology (IT) Security Study in 2006 and found that 69.1 percent of educational institutions had a security awareness program in place for staff, up from 42.2 percent in 2003. Additionally, 68.8 percent of institutions had a security awareness program in place for faculty, up from 38.2 percent in 2003.
What is surprising, however, given these jumps, is that only 20.4 percent reported mandatory security training for staff and 14.5 percent required it for faculty. Yet most colleges and universities have some form of training, mandatory or not, to teach faculty, staff, and students how to use and safeguard the information residing in the SIS.
Common Approaches
Although each educational institution is different, there are generally three types of security training in place, says Rodney Petersen, government relations officer and security task force coordinator at EDUCAUSE, the nonprofit organization dedicated to promoting the use of information technology in higher ed:
1. General user awareness programs designed to promote internet safety and security, which include information on how to protect personally identifiable information and prevent identity theft. The focus is on the user's role in protecting a computer system and personal information.
2. General employee training regarding safe computing and employee responsibility that touches on skills such as effective password development and protection.
3. Specialized training in how to use a specific campus system, such as SIS or contracts and grants.